There’s been a lot of press lately about the EU court’s ruling in the case Schrems vs Facebook as it pertains to something called Safe Harbor. What really are we talking about? Turns out that really, there’s no such thing as Safe Harbor when it comes to data. Originally, the EU Data Protection Directive which became effective in 1998 had a section in it called the “Safe Harbor Principles” which meant that while European firms were generally prohibited from transferring or otherwise copying personal data overseas, there’s the except to anywhere that “voluntarily agreed to meet EU standards”. So what did that mean in practice?
What’s safe harbor anyway?
Well as there was no actual verification or certification of compliance for these foreign entities, anyone could “volunteer” and then the EU firm could shuffle the data over there at will. To streamline the, what would you call it, the volunteering process the U.S. Department of Commerce worked with the European Commission to draft what it called the “safe harbor framework” which the EU approved in 2000. Go to the www.export.gov website even today and look up safe harbor and you’ll see a lovely little box that says “we self-certify compliance with U.S. – EU Safe Harbor”. Wow. So I “volunteer” and then I “self-certify” and then I can do what-ever I want with EU data? Good deal!
So what is “safe harbor”? Well it’s the provision that says a certain conduct, even though normally totally inappropriate, will be deemed not to actually violate the law. Not a great premise to begin with.
The court challenge
So it should come as no surprise to anyone that eventually this let’s pass really strict privacy laws, and then ensure that we don’t actually have to follow them would be called into question. The EU courts ruled straight away that any so-called “safe harbor” principles did not cut it when it comes to protecting EU data. Turns out that the supposed European Commissions finding of “adequacy” when it comes to US companies handling EU data was not worth the paper it was printed on. Was this something we didn’t see coming? No-way! Article 8(2) of the European Human Rights Convention states:
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Well Snowden showed us what the U.S. thinks of this type of human rights, how could we ever think that they would be a Safe Harbor? You see the real issue here is that the US has no general privacy law.
The European Court of Justice ruled specifically on four points:
- There is no general privacy law or other measures enacted in the US that shows the US offers “an adequate level of protection” for personal data relating to European data subjects;
- Public law enforcement authorities which obtain personal data from organisations in Safe Harbor are not obliged to follow the ‘Safe Harbor’ rules after disclosure;
- Some US law enforcement agencies can gain access to personal data in ‘Safe Harbor’ without having any law that legitimises their access; and
- The European Commission knew all the above and knew that personal data was possibly being used for incompatible and disproportionate purposes by law enforcement agencies.
… And so it was written… No U.S. company could store data on European citizens and European companies could not store their data inside the U.S.
What??? Are you crazy? That’s not at all what this means!
If you get on a plane and fly to the U.S. and you provide your personal data willingly, as a tourist, say to purchase something or stay at a resort, you chose to be there and to comply with their laws, your EU rights don’t follow you there. Well turns out the same thing is true online, no “Safe Harbour” – no problem, just tell the users and make sure that your T&Cs grant you permission to ignore the EU rules.
So if “safe harbor” not only never existed but never mattered – so what?
The real issue behind the court ruling is that some businesses have been telling their customers that they comply with EU laws, and it turns out they actually don’t. Put it simply, they lied. This is not much different to false advertising. That’s the nature of the January 31, 2016 deadline. If you’ve been lying to your customers about offering EU data protection, and the courts and governments cannot find a way to legitimatise your lie, you have until the end of January to do something about it. Fair enough.
This means that U.S. businesses operating with EU data may have to store that data within the EU in order to comply, that or get their users explicit consent not to. The issue is whether (or not) “powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers,” as that’s the real crux of the matter.
Does that mean that if it’s an EU company, and the servers are in the U.S. that’s ok? Does that mean the data is safe once it’s stored in the EU regardless of whether the company is from the U.S. or not? Well think about this… we got here because it’s just so darn easy to transfer data around the world! Would you trust your data to a server run by the U.S. NSA just because it’s physically located in the EU? Hey, it’s not like the Americans have ever spied on anyone outside of the US before right? Are we really that fussed about what country it’s in – or are we really only concerned with who can get to it?
What’s the big deal about data anyway?
Underlying all of this noise about personal data privacy is a fundamental difference in how we, in Europe, regard data and how many other countries (including the U.S.) regard data. We have this notion of privacy that says my actions, my thoughts, my “data” are my own unless it can be proven that I’m a threat or have broken some kind of law. In essence, I, as the subject of the data, own the data and do not have to share it. It’s like the laws we have in the UK about not building platforms or installing windows that can over-look my neighbours, it’s just not done, it wouldn’t be proper.
In the US on the other hand, if I wanted to build an observation platform on my roof and install my own cameras shooting a 360° panorama 24-hours per day, that would be just fine! Caught the neighbours out in their garden doing something inappropriate? Well Uncle Sam says that you should report them for the good of the state! You see in the U.S. and many other parts of the world, I as the object, the collector of the data, own it and can do just about anything I want with it. If the neighbours wanted privacy they should have stopped me from watching with a roof, higher walls, something!
Who’s this Schrems guy anyhow?
The actual court case that started all this guffaw was brought by an Austrian fellow by the name of Schrems against Facebook. His claim, after the revelations of WikiLeaks was that Facebook was enabling U.S. agencies like the NSA to harvest data on European citizens, and so he applied to the Irish Data Protection Authority (you see Facebook is incorporated in Ireland within the EU) to put a stop to it. The Irish Data Protection Authority simply rejected the claim as it was covered under “Safe Harbor”. Well Mr. Schrems wasn’t going have any of that, so he appealed with the European Court of Justice, and that’s how we got here.
It does however make you wonder, what would happen if Mr. Schrems travelled to the U.S. and the hotel he stayed at asked for his personal information? Would he refuse? If so, would the hotel refuse him accommodation? In other words, what made him think that by choosing to be on Facebook he had any EU protection at all? The mater is really that Facebook didn’t explicitly tell him that his data was not safe and may be shared with the U.S. authorities (and who know who else!).
Did europe create this mess in the first place?
It’s very easy to put the blame of all this on the U.S. and their prying eyes, however the situation on the ground in Europe is much more complex than that. Today there are 26 different implementations of the EU’s Data Protection Directive (DPD) overseen by 28 different regulatory bodies! What the ECJ rulings really did was just shine light on the absolute mess EU regulators have made around what citizens and businesses can and cannot expect of their personal data and privacy. The Article 29 Working Party sets to put all this straight, clean up the mess, and settle once and for-all how EU rules interact with the rest of the world. What this will do is a double-edged sword. Sure it will mean that service providers offering compliance with the various laws of their chosen areas of operation will no-longer be forced to guess or lie about their compliance, as it will be clear who complies and who opts not to. It also means however that for the first time, service providers will likely face a share of the responsibility as “data protectors” when it comes to loss and data disclosure. They’ll no-longer be able to simply pass the responsibility (blame?) to their customers, the businesses controlling the data, and they’ll likely have to report breaches, even if their customer would prefer to keep it quiet and not tell anyone.
What’s a (cloud) service provider to do?
Previously a service provider would deliver a one-size-fits-all solution that would operate in the country or countries most suitable to them and would offer resiliency and fail-over to the secondary sites chosen by them, and wouldn’t spend any time at all thinking about what data they were storing. If the regulations change, it means that providing this “don’t ask don’t tell” style of service will no longer be possible. Service providers will have to come clean, offer transparency to their customers about how the data is being stored, transferred and replicated, and from where to where. This may well cause the prices of many cloud services to go up as providers will have to make choices based not only on cost-optimisation but also on regulatory policy.
It also means that you’re going to see service providers being forced to be much more consultative with their customers, taking the time to understand how their customers operate, what they do, and what laws may apply. This won’t be good for many providers not designed for this style of service.
What’s a cloud user to do?
Well good news, many cloud providers are actually already very well prepared for these changes! You see some are front-runners, already following things like ISO 27001, which unlike the silly “self-certification” of Safe Harbor is a real certification that involves detailed audits and documented procedures. Certifications like ISO 27001 include many of the same points as the new European General Data Protection Regulations (GDPR), which will replace the current shamble of laws in the DPD and the broken safe harbour privileges.
Other cloud providers, Amazon for example, have already been in talks with the EU working group and developed their own policies, procedures, terms, conditions and legal agreements to comply with the new regulations in their own way.
The main point to be concerned with here, is that in 2015, post safe harbor, there is no safe harbor! A business using the cloud who wants to be safe from threat of prosecution must understand that they will share a real financial risk and liability together with their service provider. There’s no easy path to “self-certify” and relax, providers will likely be required to report security breaches to the authorities, there will be no-where left to hide.
“in 2015, post safe harbor, there is no safe harbor!”
Businesses need to form a much closer relationship with their service providers and favour those service providers who are ahead of the curve, pursuing and maintaining real certifications like ISO 27001, CSA-STAR, etc. and those who can add meaningful intelligence to the questions surrounding data security and data privacy.